Category:WASS Validate Outputs

Validate outputs

Applications continually produce output that is based on, or contains, user input. Validating data on its way out of the application is as important as validating data on its way in: what one application emits is what another user's browser, log viewer or downstream system will consume.

The application must encode data when it is output so that it cannot take on a meaning other than the one intended (for example, a user's name being interpreted as markup or script). Specifically:

All output derived from user data should be encoded for the context in which it is emitted. HTML-entity encoding covers HTML body text and quoted attribute values; data placed inside a JavaScript string, a URL parameter or a CSS value needs the encoding for that context, because HTML encoding alone does not neutralise it there. This is the primary defence against cross-site scripting, amongst other injection attacks.
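The following is an added example, not code from the original page, showing the vulnerable pattern (user data concatenated into markup) beside a hardened version that encodes the same value differently for each output context. The user input, the page template and the helper names are constructed for illustration; the attribute encoder uses the stricter "encode everything that is not alphanumeric" rule rather than plain entity escaping.

```python
import html
import json
import urllib.parse

# Constructed attacker-controlled input (assumption: a display name a user could submit).
USER_INPUT = '"><script>alert(1)</script>'


def render_unsafe(name: str) -> str:
    """Vulnerable: user data is concatenated straight into the markup."""
    return f'<p>Hello {name}</p><input value="{name}">'


def encode_html_body(s: str) -> str:
    """HTML body text: turn & < > " ' into entities."""
    return html.escape(s, quote=True)


def encode_html_attr(s: str) -> str:
    """HTML attribute value: encode everything except [A-Za-z0-9] as &#xHH;.
    The attribute must still be quoted in the template."""
    return "".join(c if c.isalnum() and c.isascii() else f"&#x{ord(c):X};" for c in s)


def encode_js_string(s: str) -> str:
    """JavaScript string literal inside <script>: JSON-encode, then also escape
    < > & so the sequence </script> can never appear in the emitted source."""
    out = json.dumps(s)  # ensure_ascii=True also escapes U+2028/U+2029
    return out.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def encode_url_param(s: str) -> str:
    """URL query parameter: percent-encode every reserved character."""
    return urllib.parse.quote(s, safe="")


def render_safe(name: str) -> str:
    """Hardened: the same value is encoded once per context it lands in."""
    return (
        f"<p>Hello {encode_html_body(name)}</p>"
        f'<input value="{encode_html_attr(name)}">'
        f"<script>var who = {encode_js_string(name)};</script>"
        f'<a href="/profile?u={encode_url_param(name)}">profile</a>'
    )


def contains_injected_script(markup: str) -> bool:
    """Crude check used only to contrast the two renderers."""
    return "<script>alert(1)" in markup


if __name__ == "__main__":
    print("unsafe:", render_unsafe(USER_INPUT))
    print("safe:  ", render_safe(USER_INPUT))
```

Note that a single `encode_html_body` applied to the JavaScript or URL slot would leave the value exploitable in those contexts; the point of the example is that the encoder is chosen by where the data goes, not by where it came from.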

When error messages are generated for users, they should not disclose internal application information (stack traces, file paths, SQL statements, component versions, account details) or other sensitive data. Record the full detail in a server-side log and return a fixed, generic message, optionally with a reference identifier so that support staff can correlate the two.
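As an added example (not from the original page) of the error-message point, the handler below logs the exception detail server side under a reference id and returns only a generic message to the client. The failing database call, its error text and the `discloses_internals` heuristic are constructed for illustration; the patterns in that heuristic are a starting point for a test, not a complete list.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("app.errors")


def _failing_db_call() -> None:
    # Constructed failure whose message contains exactly the kind of detail
    # (driver name, credential context, file path) that must not reach the user.
    raise RuntimeError(
        'psycopg2.OperationalError: FATAL: password authentication failed '
        'for user "app" (raised in /srv/app/db.py)'
    )


def handle_request_error(exc: Exception) -> dict:
    """Log everything, return nothing derived from the exception itself."""
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    # Server-side record, keyed by the reference id given to the user.
    log.error("ref=%s type=%s msg=%s\n%s", ref, type(exc).__name__, exc, detail)
    # Client-facing body: fixed wording plus the reference id only.
    return {"status": 500, "error": "An internal error occurred.", "ref": ref}


# Patterns that indicate an error message is leaking internals (assumption: tune per application).
LEAK_PATTERNS = [
    r"Traceback",            # Python stack trace header
    r"/[A-Za-z0-9_.-]+/",    # Unix path fragment
    r"\bSELECT\b|\bINSERT\b", # SQL statement echoed back
    r"password",
    r"Exception",
]


def discloses_internals(text: str) -> bool:
    """Heuristic check usable in a test suite against every user-facing error body."""
    return any(re.search(p, text, re.IGNORECASE) for p in LEAK_PATTERNS)


def run_unsafe() -> dict:
    """Vulnerable: the raw exception text is sent to the user."""
    try:
        _failing_db_call()
    except Exception as e:
        return {"status": 500, "error": str(e)}
    return {"status": 200, "error": ""}


def run_safe() -> dict:
    """Hardened: the exception goes to the log, the user gets a generic message."""
    try:
        _failing_db_call()
    except Exception as e:
        return handle_request_error(e)
    return {"status": 200, "error": ""}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("unsafe:", run_unsafe())
    print("safe:  ", run_safe())
```

The reference id is the only link between what the user sees and what the log holds, so the log entry must be written before the response is returned, and the id must not be derived from anything that reveals internal state (a random value is used here).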